#
# Synchronizer settings
#
Sync {
  Mode FTFW {
    #
    # Size of the resend queue (in objects). This is the maximum
    # number of objects that can be stored waiting to be confirmed
    # via acknoledgment. If you keep this value low, the daemon
    # will have less chances to recover state-changes under message
    # omission. On the other hand, if you keep this value high,
    # the daemon will consume more memory to store dead objects.
    # Default is 131072 objects.
    #
    # ResendQueueSize 131072

    #
    # This parameter allows you to set an initial fixed timeout
    # for the committed entries when this node goes from backup
    # to primary. This mechanism provides a way to purge entries
    # that were not recovered appropriately after the specified
    # fixed timeout. If you set a low value, TCP entries in
    # Established states with no traffic may hang. For example,
    # an SSH connection without KeepAlive enabled. If not set,
    # the daemon uses an approximate timeout value calculation
    # mechanism. By default, this option is not set.
    #
    # CommitTimeout 180

    #
    # If the firewall replica goes from primary to backup,
    # the conntrackd -t command is invoked in the script.
    # This command schedules a flush of the table in N seconds.
    # This is useful to purge the connection tracking table of
    # zombie entries and avoid clashes with old entries if you
    # trigger several consecutive hand-overs. Default is 60 seconds.
    #
    # PurgeTimeout 60

    # Set the acknowledgement window size. If you decrease this
    # value, the number of acknowlegdments increases. More
    # acknowledgments means more overhead as conntrackd has to
    # handle more control messages. On the other hand, if you
    # increase this value, the resend queue gets more populated.
    # This results in more overhead in the queue releasing.
    # The following value is based on some practical experiments
    # measuring the cycles spent by the acknowledgment handling
    # with oprofile. If not set, default window size is 300.
    #
    # ACKWindowSize 300

    #
    # This clause allows you to disable the external cache. Thus,
    # the state entries are directly injected into the kernel
    # conntrack table. As a result, you save memory in user-space
    # but you consume slots in the kernel conntrack table for
    # backup state entries. Moreover, disabling the external cache
    # means more CPU consumption. You need a Linux kernel
    # >= 2.6.29 to use this feature. By default, this clause is
    # set off. If you are installing conntrackd for first time,
    # please read the user manual and I encourage you to consider
    # using the fail-over scripts instead of enabling this option!
    #
    # DisableExternalCache Off
  }

  #
  # Multicast IP and interface where messages are
  # broadcasted (dedicated link). IMPORTANT: Make sure
  # that iptables accepts traffic for destination
  # 225.0.0.50, eg:
  #
  #  iptables -I INPUT -d 225.0.0.50 -j ACCEPT
  #  iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
  #
  Multicast {
    #
    # Multicast address: The address that you use as destination
    # in the synchronization messages. You do not have to add
    # this IP to any of your existing interfaces. If any doubt,
    # do not modify this value.
    #
    IPv4_address 225.0.0.50

    #
    # The multicast group that identifies the cluster. If any
    # doubt, do not modify this value.
    #
    Group 3780

    #
    # IP address of the interface that you are going to use to
    # send the synchronization messages. Remember that you must
    # use a dedicated link for the synchronization messages.
    #
    IPv4_interface 240.1.0.<%= @internal_address.rpartition(".").last %>

    #
    # The name of the interface that you are going to use to
    # send the synchronization messages.
    #
    Interface conntrd

    # The multicast sender uses a buffer to enqueue the packets
    # that are going to be transmitted. The default size of this
    # socket buffer is available at /proc/sys/net/core/wmem_default.
    # This value determines the chances to have an overrun in the
    # sender queue. The overrun results packet loss, thus, losing
    # state information that would have to be retransmitted. If you
    # notice some packet loss, you may want to increase the size
    # of the sender buffer. The default size is usually around
    # ~100 KBytes which is fairly small for busy firewalls.
    #
    SndSocketBuffer 1249280

    # The multicast receiver uses a buffer to enqueue the packets
    # that the socket is pending to handle. The default size of this
    # socket buffer is available at /proc/sys/net/core/rmem_default.
    # This value determines the chances to have an overrun in the
    # receiver queue. The overrun results packet loss, thus, losing
    # state information that would have to be retransmitted. If you
    # notice some packet loss, you may want to increase the size of
    # the receiver buffer. The default size is usually around
    # ~100 KBytes which is fairly small for busy firewalls.
    #
    RcvSocketBuffer 1249280

    #
    # Enable/Disable message checksumming. This is a good
    # property to achieve fault-tolerance. In case of doubt, do
    # not modify this value.
    #
    Checksum on
  }
  #
  # You can specify more than one dedicated link. Thus, if one dedicated
  # link fails, conntrackd can fail-over to another. Note that adding
  # more than one dedicated link does not mean that state-updates will
  # be sent to all of them. There is only one active dedicated link at
  # a given moment. The `Default' keyword indicates that this interface
  # will be selected as the initial dedicated link. You can have
  # up to 4 redundant dedicated links. Note: Use different multicast
  # groups for every redundant link.
  #
  # Multicast Default {
  #  IPv4_address 225.0.0.51
  #  Group 3781
  #  IPv4_interface 192.168.100.101
  #  Interface eth3
  #  # SndSocketBuffer 1249280
  #  # RcvSocketBuffer 1249280
  #  Checksum on
  # }

  #
  # You can use Unicast UDP instead of Multicast to propagate events.
  # Note that you cannot use unicast UDP and Multicast at the same
  # time, you can only select one.
  #
  # UDP {
    #
    # UDP address that this firewall uses to listen to events.
    #
    # IPv4_address 192.168.2.100
    #
    # or you may want to use an IPv6 address:
    #
    # IPv6_address fe80::215:58ff:fe28:5a27

    #
    # Destination UDP address that receives events, ie. the other
    # firewall's dedicated link address.
    #
    # IPv4_Destination_Address 192.168.2.101
    #
    # or you may want to use an IPv6 address:
    #
    # IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c

    #
    # UDP port used
    #
    # Port 3780

    #
    # The name of the interface that you are going to use to
    # send the synchronization messages.
    #
    # Interface eth2

    #
    # The sender socket buffer size
    #
    # SndSocketBuffer 1249280

    #
    # The receiver socket buffer size
    #
    # RcvSocketBuffer 1249280

    #
    # Enable/Disable message checksumming.
    #
    # Checksum on
  # }

  #
  # Other unsorted options that are related to the synchronization.
  #
  # Options {
    #
    # TCP state-entries have window tracking disabled by default,
    # you can enable it with this option. As said, default is off.
    # This feature requires a Linux kernel >= 2.6.36.
    #
    # TCPWindowTracking Off
  # }
}

#
# General settings
#
General {
  #
  # Set the nice value of the daemon, this value goes from -20
  # (most favorable scheduling) to 19 (least favorable). Using a
  # very low value reduces the chances to lose state-change events.
  # Default is 0 but this example file sets it to most favourable
  # scheduling as this is generally a good idea. See man nice(1) for
  # more information.
  #
  Nice -20

  #
  # Select a different scheduler for the daemon, you can select between
  # RR and FIFO and the process priority (minimum is 0, maximum is 99).
  # See man sched_setscheduler(2) for more information. Using a RT
  # scheduler reduces the chances to overrun the Netlink buffer.
  #
  # Scheduler {
  #  Type FIFO
  #  Priority 99
  # }

  #
  # Number of buckets in the cache hashtable. The bigger it is,
  # the closer it gets to O(1) at the cost of consuming more memory.
  # Read some documents about tuning hashtables for further reference.
  #
  HashSize 32768

  #
  # Maximum number of conntracks, it should be double of:
  # $ cat /proc/sys/net/netfilter/nf_conntrack_max
  # since the daemon may keep some dead entries cached for possible
  # retransmission during state synchronization.
  #
  HashLimit 131072

  #
  # Logfile: on (/var/log/conntrackd.log), off, or a filename
  # Default: off
  #
  LogFile on

  #
  # Syslog: on, off or a facility name (daemon (default) or local0..7)
  # Default: off
  #
  #Syslog on

  #
  # Lockfile
  #
  LockFile /var/lock/conntrack.lock

  #
  # Unix socket configuration
  #
  UNIX {
    Path /var/run/conntrackd.ctl
    Backlog 20
  }

  #
  # Netlink event socket buffer size. If you do not specify this clause,
  # the default buffer size value in /proc/net/core/rmem_default is
  # used. This default value is usually around 100 Kbytes which is
  # fairly small for busy firewalls. This leads to event message dropping
  # and high CPU consumption. This example configuration file sets the
  # size to 2 MBytes to avoid this sort of problems.
  #
  NetlinkBufferSize 2097152

  #
  # The daemon doubles the size of the netlink event socket buffer size
  # if it detects netlink event message dropping. This clause sets the
  # maximum buffer size growth that can be reached. This example file
  # sets the size to 8 MBytes.
  #
  NetlinkBufferSizeMaxGrowth 8388608

  #
  # If the daemon detects that Netlink is dropping state-change events,
  # it automatically schedules a resynchronization against the Kernel
  # after 30 seconds (default value). Resynchronizations are expensive
  # in terms of CPU consumption since the daemon has to get the full
  # kernel state-table and purge state-entries that do not exist anymore.
  # Be careful of setting a very small value here. You have the following
  # choices: On (enabled, use default 30 seconds value), Off (disabled)
  # or Value (in seconds, to set a specific amount of time). If not
  # specified, the daemon assumes that this option is enabled.
  #
  # NetlinkOverrunResync On

  #
  # If you want reliable event reporting over Netlink, set on this
  # option. If you set on this clause, it is a good idea to set off
  # NetlinkOverrunResync. This option is off by default and you need
  # a Linux kernel >= 2.6.31.
  #
  # NetlinkEventsReliable Off

  #
  # By default, the daemon receives state updates following an
  # event-driven model. You can modify this behaviour by switching to
  # polling mode with the PollSecs clause. This clause tells conntrackd
  # to dump the states in the kernel every N seconds. With regards to
  # synchronization mode, the polling mode can only guarantee that
  # long-lifetime states are recovered. The main advantage of this method
  # is the reduction in the state replication at the cost of reducing the
  # chances of recovering connections.
  #
  # PollSecs 15

  #
  # The daemon prioritizes the handling of state-change events coming
  # from the core. With this clause, you can set the maximum number of
  # state-change events (those coming from kernel-space) that the daemon
  # will handle after which it will handle other events coming from the
  # network or userspace. A low value improves interactivity (in terms of
  # real-time behaviour) at the cost of extra CPU consumption.
  # Default (if not set) is 100.
  #
  # EventIterationLimit 100

  #
  # Event filtering: This clause allows you to filter certain traffic,
  # There are currently three filter-sets: Protocol, Address and
  # State. The filter is attached to an action that can be: Accept or
  # Ignore. Thus, you can define the event filtering policy of the
  # filter-sets in positive or negative logic depending on your needs.
  # You can select if conntrackd filters the event messages from
  # user-space or kernel-space. The kernel-space event filtering
  # saves some CPU cycles by avoiding the copy of the event message
  # from kernel-space to user-space. The kernel-space event filtering
  # is prefered, however, you require a Linux kernel >= 2.6.29 to
  # filter from kernel-space. If you want to select kernel-space
  # event filtering, use the keyword 'Kernelspace' instead of
  # 'Userspace'.
  #
  Filter From Userspace {
    #
    # Accept only certain protocols: You may want to replicate
    # the state of flows depending on their layer 4 protocol.
    #
    Protocol Accept {
      TCP
      SCTP
      DCCP
      # UDP
      # ICMP # This requires a Linux kernel >= 2.6.31
      # IPv6-ICMP # This requires a Linux kernel >= 2.6.31
    }

    #
    # Ignore traffic for a certain set of IP's: Usually all the
    # IP assigned to the firewall since local traffic must be
    # ignored, only forwarded connections are worth to replicate.
    # Note that these values depends on the local IPs that are
    # assigned to the firewall.
    #
    Address Ignore {
      IPv4_address 127.0.0.1 # loopback
      IPv4_address 192.168.0.100 # virtual IP 1
      IPv4_address 192.168.1.100 # virtual IP 2
      IPv4_address 192.168.0.1
      IPv4_address 192.168.1.1
      IPv4_address 192.168.100.100 # dedicated link ip
      #
      # You can also specify networks in format IP/cidr.
      # IPv4_address 192.168.0.0/24
      #
      # You can also specify an IPv6 address
      # IPv6_address ::1
    }

    #
    # Uncomment this line below if you want to filter by flow state.
    # This option introduces a trade-off in the replication: it
    # reduces CPU consumption at the cost of having lazy backup
    # firewall replicas. The existing TCP states are: SYN_SENT,
    # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
    # TIME_WAIT, CLOSED, LISTEN.
    #
    # State Accept {
    #  ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
    # }
  }
}

